U.S. ELECTION ASSISTANCE COMMISSION
OFFICE OF INSPECTOR GENERAL

FINAL REPORT:
U.S. ELECTION ASSISTANCE COMMISSION
COMPLIANCE WITH THE REQUIREMENTS OF
THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT
FISCAL YEAR 2010

NO. I-PA-EAC-02-10
OCTOBER 2010


U.S. ELECTION ASSISTANCE COMMISSION
OFFICE OF INSPECTOR GENERAL
1201 New York Ave. NW - Suite 300
Washington, DC 20005

October 27, 2010

Memorandum

To:       Donetta Davidson
          Chair, U.S. Election Assistance Commission

From:     Curtis W. Crider
          Inspector General

Subject:  Final Report – U.S. Election Assistance Commission's Compliance with the
          Requirements of the Federal Information Security Management Act (Assignment No.
          I-PA-EAC-02-10)

We contracted with the independent certified public accounting firm of Leon Snead &
Co. (LSC) to conduct the audit of the U.S. Election Assistance Commission's (EAC) compliance
with the requirements of the Federal Information Security Management Act (FISMA). LSC
found that EAC's information technology security program is in substantial compliance with
FISMA. The audit noted that EAC took actions to address control weaknesses identified in the
2009 FISMA audit. However, EAC still needs to complete corrective action in two areas: (1)
the agency's contingency planning and testing, and (2) compliance with Personal Identification
Information and Privacy Act requirements.

In its October 8, 2010 response to the draft report (Attachment 2), the EAC generally
concurred with the recommendations and provided the actions planned to address the issues
identified in the report. Based on the response, we consider the recommendations in the report
resolved but not implemented. The OIG will monitor the implementation of the
recommendations.

The legislation, as amended, creating the Office of Inspector General (5 U.S.C. § App. 3)
requires semiannual reporting to Congress on all reports issued, actions taken to implement
recommendations, and recommendations that have not been implemented. Therefore, this report
will be included in our next semiannual report to Congress.

If you have any questions regarding this report, please call me at (202) 566-3125.


U.S. Election Assistance Commission
Compliance with the Requirements of
the Federal Information Security Management Act

Fiscal Year 2010

Submitted By

Leon Snead & Company, P.C.
Certified Public Accountants & Management Consultants


LEON SNEAD & COMPANY, P.C.
Certified Public Accountants & Management Consultants

416 Hungerford Drive, Suite 400
Rockville, Maryland 20850
301·738·8190
fax: 301·738·8210
leonsnead.companypc@erols.com

October 12, 2010

Mr. Curtis W. Crider
Inspector General
U.S. Election Assistance Commission
1440 New York Ave, N.W., Suite 203
Washington, DC 20005

Dear Mr. Crider:

Enclosed is the final report on our audit of U.S. Election Assistance Commission's compliance
with the Federal Information Security Management Act for fiscal year 2010.

We appreciate the courtesies and cooperation provided by EAC personnel during the audit.

Leon Snead & Company, P.C.


TABLE OF CONTENTS

                                                                    Page

Introduction ........................................................  1
Objective, Scope and Methodology ....................................  1
Summary of Audit ....................................................  2
Findings and Recommendations ........................................  3
Attachment 1 – Status of Prior Year Findings ........................  6
Attachment 2 – Response to Audit ....................................  7


Leon Snead & Company, P.C.                                             i


Introduction

Leon Snead & Company, P.C. has completed its audit of EAC's Information Technology (IT)
security program for fiscal year 2010.

Title III of the E-Government Act, entitled the Federal Information Security Management Act
(FISMA), requires each Federal agency to develop, document, and implement an agency-wide
program to provide security for information and information systems that support the operations
and assets of the agency, including those systems managed by another agency or contractor.
FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology
Management Reform Act of 1996, emphasizes a risk-based policy for cost-effective security. In
support of and reinforcing this legislation, the Office of Management and Budget (OMB),
through Circular A-130, Management of Federal Information Resources, Appendix III, Security
of Federal Automated Information Resources, requires executive agencies within the Federal
government to:

   •   Plan for security;
   •   Ensure that appropriate officials are assigned security responsibility;
   •   Periodically review the security controls in their information systems; and
   •   Authorize system processing prior to operations and, periodically, thereafter.

The EAC is an independent, bipartisan agency created by the Help America Vote Act (HAVA)
to assist in the effective administration of Federal elections. In October 2002, Congress passed
HAVA to invest in election infrastructure and set forth a comprehensive program of funding,
guidance, and ongoing research. To foster those programs and to promote and enhance voting
for United States citizens, HAVA established the EAC.

EAC's mission is to assist in the effective administration of Federal elections. The agency is
charged with developing guidance to meet HAVA requirements, adopting voluntary voting
systems guidelines, and serving as a national clearinghouse of information about election
administration. EAC also accredits testing laboratories, certifies voting systems, and audits
the use of HAVA funds.

Objective

The objective of our audit was to evaluate EAC's compliance with OMB Circular A-130 and
FISMA requirements.

Scope and Methodology

To accomplish the objective, we reviewed EAC policies and procedures, and performed tests to
determine whether:

   •  EAC policies and procedures were adequate to establish an agency-wide IT security
      program in accordance with OMB requirements.
   •  EAC personnel assessed the risk to operations and assets under their control, assigned a
      level of risk to the systems, tested and evaluated security controls and techniques,
      implemented an up-to-date security plan for each major application and general support
      system, and performed certification and accreditation of the agency's systems.
   •  EAC developed, documented, and tested comprehensive contingency plans for the
      agency's information systems.
   •  EAC provided security awareness training to all employees and contractors, and provided
      sufficient specialized training to key IT security personnel.
   •  EAC established a continuous monitoring program, including whether the agency
      monitored scanning results and corrected vulnerabilities, as necessary.
   •  EAC designed and implemented access controls effectively.
   •  EAC met OMB requirements for securing sensitive personal identifying information and
      Privacy Act requirements.

The audit was performed in accordance with Government Auditing Standards, and included
appropriate tests necessary to achieve the audit objective. Other criteria used in the audit
included the National Institute of Standards and Technology (NIST) guidance, and OMB
Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security
Management Act and Agency Privacy Management, dated April 21, 2010.

Summary of Audit

While the EAC IT security program is now in substantial compliance with FISMA, the agency
remained at risk for a substantial portion of 2010. Our audit found that EAC had implemented
actions to address control weaknesses identified in our 2009 report except for: (1) the testing and
exercise of the recently completed contingency plan; and (2) compliance with required OMB PII
and Privacy Act controls. EAC delayed implementation of planned corrective actions until it
hired a Chief Information Officer (CIO) in about June 2010. As a result, many of the weaknesses
identified in 2009 continued for a significant portion of the 2010 fiscal year.

EAC officials, in a response to the draft report, advised that the agency is committed to
establishing and maintaining an agency-wide program to provide security for information and
information systems that support the operations and assets of the agency, including those systems
managed by another agency or contractor. EAC officials advised that as part of this effort, EAC
hired a Chief Information Officer (CIO) and developed, documented, and implemented its
agency-wide Information Security Program. EAC officials agreed with the recommendations to
complete the EAC contingency plan by the end of the calendar year, to update the contingency
plan based on the results of testing, and to bring the EAC into full compliance with OMB PII
regulations and Privacy Act requirements. The agency plans to be in full compliance by the end
of calendar year 2010.


FINDINGS AND RECOMMENDATIONS

1. IT Security Program Improved but Additional Controls are Necessary

   EAC has corrected most of the significant control weaknesses identified during our audit in
   2009 that impacted the agency's IT security program. While the EAC IT security program is
   now in substantial compliance with FISMA, the agency was at risk for a substantial portion
   of fiscal year 2010. The agency delayed completion of corrective actions until the CIO was
   hired in about June 2010. Also, EAC has not yet completed required actions to test the
   newly completed contingency plan, or implemented controls for compliance with PII and
   Privacy Act requirements.

   As part of our audit, we assessed whether EAC had taken action to address the problems we
   identified in 2009 with the agency's agency-wide IT security program. For each of the
   security control areas established by Federal Information Processing Standards (FIPS) 200,
   Minimum Security Requirements for Federal Information and Information Systems, we
   determined if actions taken by EAC brought the agency into substantial compliance with the
   control requirements contained in NIST Special Publication (SP) 800-53, Recommended
   Security Controls for Federal Information Systems and Organizations. The table below
   shows our determinations for 2010.

            CONTROL REQUIREMENT                                      Compliance Determination
            Access Control                                           Substantial Compliance
            Awareness and Training                                   Substantial Compliance
            Audit and Accountability                                 Substantial Compliance
            Certification, Accreditation, and Security Assessments   Substantial Compliance
            Configuration Management                                 Substantial Compliance
            Contingency Planning                                     Partial Compliance
            Identification and Authentication                        Substantial Compliance
            Incident Response                                        Substantial Compliance
            Maintenance                                              Substantial Compliance
            Media Protection                                         Substantial Compliance
            Physical and Environmental Protection                    Substantial Compliance
            Planning                                                 Substantial Compliance
            Personnel Security                                       Substantial Compliance
            Risk Assessment                                          Substantial Compliance
            System and Services Acquisition                          Substantial Compliance
            System and Communications Protection                     Substantial Compliance
            System and Information Integrity                         Substantial Compliance

   As noted above, we rated contingency planning as partial compliance because the plan
   was only recently completed and has not yet undergone testing. EAC has developed testing
   and exercise plans; once these tests are completed and analyzed, and any necessary
   adjustments are made to the plan, EAC will be in compliance with this control area.

   In our 2009 audit, we reported that EAC was not in compliance with OMB requirements
   dealing with securing PII data and certain requirements of the Privacy Act. We performed
   audit tests to determine whether EAC had taken actions to come into substantial compliance
   with these requirements. EAC's privacy officer advised us that the agency was moving to
   come into full compliance with OMB and Privacy Act requirements, but not all actions are
   yet completed. The following table shows the 2009 problem areas, the actions EAC has
   taken, and those areas where additional corrective actions are necessary.

     OMB              Requirement                      EAC Actions in 2010              Auditor Comments
     Guidance
     M-07-16, dated   Requires agency to develop       EAC has published a policy       EAC meets requirement.
     May 22, 2007     and implement a breach           on this matter.
                      notification.
                      Review current PII               EAC completed a review in        EAC meets requirement.
                      holdings, determine if           2010, and has taken actions to
                      holdings are accurate and        reduce holdings.
                      relevant, and reduce the PII
                      holdings to the minimum
                      necessary.
                      Encrypt data on mobile           EAC has purchased encrypted      EAC meets requirement.
                      computers.                       drives, and does not maintain
                                                       PII data on hard drives.
                      Require two-factor               EAC was required by GSA to       EAC meets requirement.
                      authentication.                  implement this requirement.
                      Require all personnel with       EAC has training and requires    EAC meets requirement.
                      access to PII to sign at least   personnel to authenticate
                      annually a document that         security awareness and
                      describes rules of behavior      privacy training.
                      on PII.
                      Develop and publish a            EAC has an internal policy but   EAC is not in full
                      "routine use" policy dealing     has not published a "routine     compliance with this
                      with breach of security          use" policy in the Federal       area.
                      relating to PII data,            Register.
                      including actions taken for
                      individuals affected by the
                      breach.
     OMB Circular     Publish and review               EAC has not yet published its    EAC is not in full
     A-130            biennially each system of        system of records.               compliance with this
                      records notice to ensure                                          area.
                      that it accurately describes
                      the system of records.
                      Review every four years          EAC has not yet published its    EAC is not in full
                      the routine use disclosures      system of records.               compliance with this
                      associated with each system                                       area.
                      of records in order to
                      ensure that the recipient's
                      use of such records
                      continues to be compatible
                      with the purpose for which
                      the disclosing agency
                      collected the information.
     OMB              Conduct privacy impact           EAC has not yet completed        EAC is not in full
     Memorandum       assessments for electronic       this assessment.                 compliance with this
     03-22            information systems and                                           area.
                      collections and, in general,
                      make them publicly
                      available.
                      Post privacy policies on         EAC has posted on website.       EAC meets requirement.
                      agency websites used by
                      the public.

   EAC has written policies and procedures, and developed and implemented necessary controls
   to bring its IT security program, as of the end of fiscal year 2010, into substantial compliance
   with FISMA requirements. As discussed above, EAC needs to continue to take actions to
   bring itself into compliance with OMB directives dealing with PII and Privacy Act
   requirements. At the end of 2010, EAC has developed a foundation for its IT security
   program that, as its IT operations mature, will enable EAC to sustain compliance with
   FISMA requirements.

   Recommendations:

   1.  Assure that the testing and exercise of the recently completed EAC contingency plan is
       accomplished by the end of the calendar year. Update the plan based upon the results of
       this testing.

   2.  Emphasize the completion of actions necessary to bring the EAC into full compliance
       with OMB PII regulations and Privacy Act requirements.

   Agency Response

   The Executive Director, in a response to the draft report, advised that the agency is
   committed to establishing and maintaining an agency-wide program to provide security for
   information and information systems that support the operations and assets of the agency,
   including those systems managed by another agency or contractor. The Executive Director
   advised that as part of this effort, EAC hired a Chief Information Officer (CIO) and
   developed, documented, and implemented its agency-wide Information Security Program.

   EAC officials agreed with the recommendations to complete the EAC contingency plan by
   the end of the calendar year, to update the contingency plan based on the results of testing, and
   to bring the EAC into full compliance with OMB PII regulations and Privacy Act
   requirements. The agency plans to be in full compliance by the end of calendar year
   2010.


                                                                                 Attachment 1

    Status of Prior Year Findings

No.      Prior Year Condition                                     Current Status

1        IT Security Program Improved but Additional Controls     EAC officials took action to correct this
         are Necessary.                                           problem.

2        An agency-wide information security program in           EAC officials took action to correct this
         compliance with FISMA has not been developed. A          problem.
         security management structure with adequate
         independence, authority, and expertise which is
         assigned in writing has not been implemented.

3        Policies or procedures for information security or       EAC officials took action to correct this
         privacy management have not been developed. Per the      problem.
         terms of the MOU, the GSA procedures will prevail
         where there are not guiding policies provided by the
         user organization.

4        A Continuity of Operations Plan, Disaster Recovery       EAC has completed a contingency plan, but has
         Plan, or Business Impact Assessment has not been         not yet tested the plan.
         developed.

5        FDCC requirements were not met.                          EAC officials took action to correct this
                                                                  problem.

6        Access Controls and Remote Access Need                   EAC officials took action to correct this
         Strengthening.                                           problem.

7        Security Risk Assessments Need to be Finalized and       EAC officials took action to correct this
         Used to Develop Controls.                                problem.

8        EAC is not fully compliant with several Privacy Act      EAC officials took action to correct some but
         Requirements including:                                  not all of these problems. Issue remains open.
         • A Chief Privacy Officer with the responsibility for
           monitoring and enforcing privacy related policies
           and procedures has not been designated.
         • EAC has not identified systems housing personally
           identifiable information or conducted related
           Privacy Impact Assessments required by OMB
           Memorandum 06-16.
         • EAC has not developed formal policies that
           address the information protection needs associated
           with personally identifiable information that is
           accessed remotely or physically removed.

9        Establish Controls to Ensure Audit and Accountability.   EAC officials took action to correct this
                                                                  problem.

10       Restrict Access to Network Devices.                      EAC officials took action to correct this
                                                                  problem.


                                                                                 Attachment 2

U. S. ELECTION ASSISTANCE COMMISSION
OFFICE OF THE EXECUTIVE DIRECTOR
1201 New York Avenue, NW, Suite 300
Washington, DC 20005

October 8, 2010

Memorandum

To:        Arnie G. Garza
           Assistant Inspector General for Audits

From:      Thomas R. Wilkey
           Executive Director

Subject:   Management Response to: Draft Audit Report – U.S. Election Assistance
           Commission Audit of Compliance with the Requirement of the Federal
           Information Security Management Act (FISMA) Fiscal Year 2010
           (Assignment No. I-PA-EAC-02-10).

The U.S. Election Assistance Commission (EAC) appreciates the opportunity to review the
draft report on the audit of the Federal Information Security Management Act (FISMA) for FY
2010. We have reviewed the draft report. Responses to the recommendations are provided
below.

As part of the audit, the auditor assessed whether EAC had taken action to address the issues
identified in fiscal year (FY) 2009 with EAC's agency-wide IT security program. The review
indicated that EAC has corrected most of the significant issues but needs to implement corrective
actions in two major areas. The first area deals with the agency's contingency planning and
testing. The second area involves the agency's compliance with Personal Identification
Information (PII) and Privacy Act requirements.

The auditor rated contingency planning as in partial compliance since the plan was only recently
completed and has not yet undergone testing. EAC has developed its testing criteria for the plan
and will be in compliance with the control requirements once the tests are completed, results
analyzed, and necessary adjustments made to the plan.

The auditor also determined that PII regulations and Privacy Act requirements are in partial
compliance since additional actions are needed to bring the agency into full
compliance with Office of Management and Budget (OMB) requirements dealing with securing
PII data and certain requirements of the Privacy Act.

Auditor's Recommendations:

       1.  Assure that the testing and exercise of the recently completed EAC contingency plan
           is accomplished by the end of the calendar year. Update the plan based upon the
           results of the testing.
       2.  Emphasize the completion of actions necessary to bring the EAC into full
           compliance with OMB PII regulations and Privacy Act requirements.

Management's Response:

EAC is committed to establishing and maintaining an agency-wide program to provide
security for information and information systems that support the operations and assets of the
agency, including those systems managed by another agency or contractor. As part of this
effort, EAC hired an experienced Chief Information Officer (CIO) and developed,
documented, and implemented its agency-wide Information Security Program. We appreciate
the auditor's acknowledging the significant progress made by EAC to resolve FY 2009
FISMA audit findings. Below is our response to FY 2010 FISMA audit recommendations.

       1.  Management agrees with the recommendations to complete the EAC contingency
           plan by the end of the calendar year, and update the contingency plan based on the
           results of testing.
       2.  Management agrees with the recommendation to bring the EAC into full compliance
           with OMB PII regulations and Privacy Act requirements. The agency plans to be in
           full compliance by the end of the calendar year 2010.

ccs:         Tom Heideman (via e-mail)
             Curtis Crider (via e-mail)
             Alice Miller (via e-mail)
             Mohammed Maeruf (via e-mail)


OIG's Mission

The OIG audit mission is to provide timely, high-quality professional products and services
that are useful to OIG's clients. OIG seeks to provide value through its work, which is designed
to enhance the economy, efficiency, and effectiveness in EAC operations so they work better and
cost less in the context of today's declining resources. OIG also seeks to detect and prevent
fraud, waste, abuse, and mismanagement in these programs and operations. Products and
services include traditional financial and performance audits, contract and grant audits,
information systems audits, and evaluations.

Obtaining Copies of OIG Reports

Copies of OIG reports can be requested by e-mail (eacoig@eac.gov).

Mail orders should be sent to:

    U.S. Election Assistance Commission
    Office of Inspector General
    1201 New York Ave. NW - Suite 300
    Washington, DC 20005

To order by phone:  Voice: (202) 566-3100
                    Fax: (202) 566-0957

To Report Fraud, Waste and Abuse Involving the U.S. Election Assistance Commission or Help
America Vote Act Funds

    By Mail:      U.S. Election Assistance Commission
                  Office of Inspector General
                  1201 New York Ave. NW - Suite 300
                  Washington, DC 20005

    E-mail:       eacoig@eac.gov

    OIG Hotline:  866-552-0004 (toll free)

    FAX:          202-566-0957